Co-op Confirms Hackers Stole Customer Data
UK retail giant Co-op has acknowledged that threat actors accessed and stole customer data during a recent cyberattack, which the company initially downplayed. In a statement to BleepingComputer, Co-op said:
“As a result of ongoing forensic investigations, we now know that the hackers were able to access and extract data from one of our systems.”
The company added that the breach affected “a significant number of our current and past members.” Stolen data includes names and contact information. However, Co-op clarified:
“This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group.”
Attack Linked to DragonForce Ransomware Operation
The DragonForce ransomware group has claimed responsibility for the attack. The BBC reported that affiliates of DragonForce contacted Co-op’s cybersecurity leadership through Microsoft Teams to share screenshots of stolen data and extortion messages.
The hackers claim to possess data on 20 million individuals who enrolled in Co-op’s membership rewards program.
The same DragonForce affiliates reportedly breached Marks and Spencer last week and have also claimed responsibility for a recent attempted cyberattack on Harrods.
DragonForce operates under a ransomware-as-a-service (RaaS) model. Affiliates carry out breaches, steal data, and deploy encryption malware. DragonForce then takes 20–30% of any ransom paid.
Social Engineering Enabled Initial Access
According to sources, the attack began on April 22 and used techniques similar to those in the Marks and Spencer breach. Threat actors reportedly used social engineering to reset an employee’s password, gaining access to the network.
Once inside, they extracted the NTDS.dit file, an Active Directory database containing Windows password hashes.
The attackers employed tactics commonly linked to the groups known as Scattered Spider or Octo Tempest, including:
- Social engineering
- SIM swapping
- MFA fatigue attacks
These actors are known for aggressive extortion methods and advanced intrusion techniques.
Defensive Measures Underway
Co-op is now rebuilding its Windows domain controllers and enhancing its Microsoft Entra ID security with support from Microsoft’s Detection and Response Team (DART). KPMG is providing assistance with Amazon Web Services (AWS) recovery.
Following the attack, Co-op issued an internal advisory urging staff to exercise caution when using Microsoft Teams, suggesting concerns about lingering access by the attackers.
When contacted again, Co-op declined to share additional information beyond its original statement.
Scattered Spider: A Persistent Threat Actor Community
While DragonForce carried out the ransomware deployment, the tactics mirror those used by the threat actor collective commonly referred to as Scattered Spider. This name does not refer to a fixed group but rather a loose network of English-speaking hackers operating on Telegram, Discord, and cybercrime forums.
Some members linked to early Scattered Spider operations—including the attacks on MGM Resorts and Reddit—have reportedly been arrested by law enforcement in the US, UK, and Spain. However, similar attacks continue, possibly by new or copycat actors using the same playbook.
Cybersecurity researcher Will Thomas has compiled guidance for defending against these types of attacks, which have become increasingly disruptive across enterprise environments.